/*
| 2 | Copyright 2014 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package admission |
| 18 | |
| 19 | import ( |
| 20 | "io" |
| 21 | |
| 22 | "k8s.io/apimachinery/pkg/runtime" |
| 23 | "k8s.io/apimachinery/pkg/runtime/schema" |
| 24 | "k8s.io/apiserver/pkg/authentication/user" |
| 25 | ) |
| 26 | |
// Attributes is an interface used by AdmissionController to get information about a request
// that is used to make an admission decision.
//
// Everything exposed here describes one API request. Plugins should treat the object
// accessors as client-controlled input and GetUserInfo as the authenticated identity;
// policy decisions about "who" must be based on the latter, never on object fields.
type Attributes interface {
	// GetName returns the name of the object as presented in the request. On a CREATE operation, the client
	// may omit name and rely on the server to generate the name. If that is the case, this method will return
	// the empty string. Plugins that key policy on the name must therefore handle "" on CREATE
	// rather than assuming a name is always present.
	GetName() string
	// GetNamespace is the namespace associated with the request (if any). For cluster-scoped
	// resources this is presumably the empty string — do not treat "" as a namespace literally
	// named "" when matching namespace-based rules.
	GetNamespace() string
	// GetResource is the name of the resource being requested. This is not the kind. For example: pods
	GetResource() schema.GroupVersionResource
	// GetSubresource is the name of the subresource being requested. This is a different resource, scoped to the parent resource, but it may have a different kind.
	// For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
	// (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
	// Plugins that restrict a resource must decide explicitly whether the same restriction applies
	// to its subresources; matching on GetResource alone silently lets subresource requests through.
	GetSubresource() string
	// GetOperation is the operation being performed; one of the Operation constants defined in this file.
	GetOperation() Operation
	// GetObject is the object from the incoming request prior to default values being applied.
	// NOTE(review): presumably nil when the request carries no body (e.g. DELETE) — nil-check
	// before type-asserting. Defaults have not been applied, so optional fields may be unset.
	GetObject() runtime.Object
	// GetOldObject is the existing object. Only populated for UPDATE requests; for every other
	// operation it is not populated, so plugins must not dereference it unconditionally.
	GetOldObject() runtime.Object
	// GetKind is the type of object being manipulated. For example: Pod
	GetKind() schema.GroupVersionKind
	// GetUserInfo is information about the requesting user, as established by the
	// authentication layer (user.Info). This is the only trustworthy principal for
	// authorization-style checks in a plugin.
	GetUserInfo() user.Info

	// AddAnnotation sets annotation according to key-value pair. The key should be qualified, e.g., podsecuritypolicy.admission.k8s.io/admit-policy, where
	// "podsecuritypolicy" is the name of the plugin, "admission.k8s.io" is the name of the organization, "admit-policy" is the key name.
	// An error is returned if the format of key is invalid. When trying to overwrite annotation with a new value, an error is returned
	// (write-once semantics: one plugin cannot silently replace what another plugin recorded).
	// Both ValidationInterface and MutationInterface are allowed to add Annotations.
	// NOTE(review): these annotations are read back via AnnotationsGetter and are presumably
	// surfaced for auditing — avoid placing secrets or unbounded client-controlled data in the
	// value; confirm where they end up before relying on this.
	AddAnnotation(key, value string) error
}
| 59 | |
// privateAnnotationsGetter is a private interface which allows users to get annotations from Attributes.
// Being unexported, it can only be satisfied by Attributes implementations inside this package;
// external implementations should use the exported AnnotationsGetter instead.
type privateAnnotationsGetter interface {
	// getAnnotations returns the annotations recorded so far via AddAnnotation.
	getAnnotations() map[string]string
}
| 64 | |
// AnnotationsGetter allows users to get annotations from Attributes. An alternate Attribute should implement
// this interface.
//
// Implementations should return the annotations added through Attributes.AddAnnotation.
// NOTE(review): whether the returned map is a copy or the live map is not specified here;
// callers should not mutate it.
type AnnotationsGetter interface {
	// GetAnnotations returns the key-value annotations attached to the request.
	GetAnnotations() map[string]string
}
| 70 | |
// Interface is an abstract, pluggable interface for Admission Control decisions.
// Every plugin embeds it (see MutationInterface and ValidationInterface) and is consulted only
// for the operations it reports it handles.
type Interface interface {
	// Handles returns true if this admission controller can handle the given operation
	// where operation can be one of CREATE, UPDATE, DELETE, or CONNECT.
	// Returning false presumably means the plugin is skipped for that operation entirely, so a
	// plugin that forgets to list an operation fails open for it — be deliberate here.
	Handles(operation Operation) bool
}
| 77 | |
// MutationInterface is an abstract, pluggable interface for admission plugins that may
// modify the object under review before it is persisted.
type MutationInterface interface {
	Interface

	// Admit makes an admission decision based on the request attributes.
	// A non-nil error rejects the request. Admit may mutate a.GetObject(); because mutations
	// change what later plugins see, do not rely on a mutation made here being re-checked unless
	// a ValidationInterface plugin enforces it — confirm the plugin ordering in the chain.
	Admit(a Attributes) (err error)
}
| 84 | |
// ValidationInterface is an abstract, pluggable interface for Admission Control decisions.
// Validation plugins only approve or reject; they never change the object.
type ValidationInterface interface {
	Interface

	// Validate makes an admission decision based on the request attributes. It is NOT allowed to mutate.
	// A non-nil error rejects the request. Mutating here is a correctness and security bug: other
	// validators (and the persisted object) would see state that no one validated.
	Validate(a Attributes) (err error)
}
| 92 | |
// Operation is the type of resource operation being checked for admission control.
// Values are the string constants below; comparisons should use those constants rather
// than ad-hoc string literals.
type Operation string
| 95 | |
// Operation constants. The string values are the canonical spellings used when an
// Operation is compared or reported, so they must not be changed.
const (
	// Create is a request to create a new object.
	Create Operation = "CREATE"
	// Update is a request to modify an existing object; GetOldObject is populated only for this operation.
	Update Operation = "UPDATE"
	// Delete is a request to remove an object.
	Delete Operation = "DELETE"
	// Connect is a request to open a connection to an object (presumably via a connect-style
	// subresource); plugins that gate access to workloads should not forget this operation.
	Connect Operation = "CONNECT"
)
| 103 | |
// PluginInitializer is used for initialization of shareable resources between admission plugins.
// After initialization the resources have to be set separately.
type PluginInitializer interface {
	// Initialize hands shared resources to the given plugin. It reports no error; a plugin
	// that needs to confirm it received everything it depends on should implement
	// InitializationValidator and check there.
	Initialize(plugin Interface)
}
| 109 | |
// InitializationValidator holds ValidateInitialization functions, which are responsible for validation of initialized
// shared resources and should be implemented on admission plugins.
type InitializationValidator interface {
	// ValidateInitialization returns a non-nil error if a required shared resource was not
	// provided. Failing here is preferable to a plugin that silently runs with nil dependencies
	// and admits everything.
	ValidateInitialization() error
}
| 115 | |
// ConfigProvider provides a way to get configuration for an admission plugin based on its name.
type ConfigProvider interface {
	// ConfigFor returns a reader over the configuration for pluginName, or an error.
	// NOTE(review): whether a nil reader (no config for that plugin) is a valid non-error
	// result is not specified here — callers should handle a nil reader defensively.
	ConfigFor(pluginName string) (io.Reader, error)
}